Totolink A8000RU Command Injection Vulnerability in CGI Handler

A command injection vulnerability has been identified in the Totolink A8000RU router, specifically in version 7.1cu.643_b20200521. The issue resides within the CGI handler, in the file '/cgi-bin/cstecgi.cgi'. The vulnerability is triggered by manipulating the 'wizard' parameter in the 'setWizardCfg' function, which leads to arbitrary OS command execution. This flaw can be exploited remotely, without authentication, allowing attackers to execute commands with root privileges on the device.

Impact

Exploitation of this vulnerability allows for arbitrary OS command execution with root privileges on the affected router. This could lead to a full compromise of the device and potentially allow further attacks on the connected network.

Reproduction

To reproduce this vulnerability, send a POST request to '/cgi-bin/cstecgi.cgi' with the 'wizard' parameter set to a crafted command, such as '`ls>./setWizardCfg.txt`'. The router will execute the command and create a text file with the command's output, confirming the injection was successful.